How to handle WAF Rules for me as a SecDevOps engineer and thoughts and challenges in Enterprise Environments as we transition to cloud.

[Kai Thorsrud]

Hi,

​

I do complete terraform deployments with more or less all features available.

I have developed seperate Modules that

​

• Deploys a Netscaler in azure
• Configure an entire netscaler according to best practise (With A+ ssllabs)
• Deploy Botnet Protection
• Deploy WAF
• Deploy OAuth 2.0 v2 MSAL for applications
• Deploy a web application (or any application with any protocol with or without custom monitors)
• Deploy OAuth 2.0 v2 MSAL JWT with Token Cache so i can protect legacy API´s as a modern API Gateway
• Deploy CAG for XenApp / XenDesk with SAML to connect with Storefront+FAS
• Handle Certificates for all Applications and updating them as they change

​

My upcoming challenge will be:

• How to handle WAF Rulesets for persistent deploys.
• In a Blue/Green or Canary Environment i need to be able to handle rules (beeing learned data) using code to have a consistent ruleset

 

Beeing able to deploy WAF rules using code is a big plus as independent audits and revisioning of our internet exposed infrastructure becomes possible.

Zero Trust is the key for me. Nothing enters our network w/o proper authentication from Azure. Once Authenticated and Authorized WAF+BotNet = key.

​

Do you have any advice on how to solve these challenges ? In a real life enterprise scenario this is a challenge to solve. Netscaler is a big business enabler for enterprises since all code cannot be refactored easily. Such a migration is a 5-10 year challenge. Netscaler really bridges the gap in a hybrid environment

​

[Sumanth Lingappa]

Hello @Kai Thorsrud​, great to see you in the community.

Can you please help me understand -

Do you need help from the WAF feature OR the terraform?

Sumanth

[Kai Thorsrud]

Hi and thank you for your time to answer me.

I need help with this.. This is not supported by your terraform provider. See link in the bottom of this post

I was supposed to have a meeting with Konstantinos Kaltsas where i wanted to demonstrate how cool Netscaler can actually be in large real life scenarios.

We scheduled meetings 3 times and every time i had to cancel because i am so busy with work. Now i am even more busy,

This post is the best i am able todo.

(I code,sleep,eat,workout to get stronger and stronger,family, repeat)

https://github.com/citrix/terraform-provider-citrixadc/issues/1037

[Kai Thorsrud]

Btw: I do run all on github + azure devops. i use pipelines.

[Morten Kallesøe]

Hi Kai, is Dynamic learning client not what you are looking for?

I read the post on github, and from my understanding of it, you are contradicting your self, you want persistent configuration steps of the learned data, but learned data is dynamic, so how would you store that in a persistent world?

I am like the others, also a little bit lacking exactly what is missing.

[Kai Thorsrud]

Hi morten. A pure dynamic learning client creates ineffective rules, duplicate rules and also if you have an infected client you can feed the WAF with security issues.

Furthermore in real life scenarios whenever i use dynamic learning clients the ns.logs will fill up with dynamic learning client detecting new rules and whenever the NS tries to add the rule Netscaler will report "Rule Already exisists".

Dynamic Learning is not mature yet.

Typically what i do is to construct manual WAF Rules because they are more effective than dynamic rules. i.e take a swagger definition and create rules from that, then use knowledge of HTTP, HTML, my SANS Certifications on redteam/blueteam work to implement rules.

[Kai Thorsrud]

This is how i do cloud environments with Netscaler:

see attached drawing